{
	"id": "f5b94335-d7a8-496f-857e-32350c164153",
	"created_at": "2026-04-06T00:21:30.911676Z",
	"updated_at": "2026-04-10T03:38:19.227404Z",
	"deleted_at": null,
	"sha1_hash": "f00ff9af320bbdd4570e2b64e503a397746c04f3",
	"title": "BlueHornet – One APT to Terrorize Them All",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 98047,
	"plain_text": "BlueHornet – One APT to Terrorize Them All\r\nBy Research Team\r\nPublished: 2022-04-14 · Archived: 2026-04-05 14:35:42 UTC\r\nTable of contents\r\nIntroduction\r\nDebut\r\nNo Threat Group is Safe\r\nPoking the Bear\r\nHunting China and Russia\r\nAlibaba Cloud\r\nWeChat\r\nMyBank\r\nAmazon China\r\nWho is BlueHornet?\r\nOdd Announcement or Hard Truth\r\nCurtain Call\r\nSummary\r\nThe author\r\nThe Cyberint Research Team work round the clock to unearth the latest threats to SMBs and enterprises. They are\r\non top of the latest TTPs and monitor rising threat groups, malwares and trends.\r\nTable of contents\r\nIntroduction\r\nDebut\r\nNo Threat Group is Safe\r\nPoking the Bear\r\nHunting China and Russia\r\nAlibaba Cloud\r\nWeChat\r\nMyBank\r\nAmazon China\r\nWho is BlueHornet?\r\nOdd Announcement or Hard Truth\r\nCurtain Call\r\nSummary\r\nhttps://cyberint.com/blog/research/bluehornet-one-apt-to-terrorize-them-all/\r\nPage 1 of 10\n\nRelated Articles\r\nIntroduction\r\nOne thing that we’ve learned from the Russia-Ukraine conflict is that the cybersecurity and the\r\ncyber-warfare world is going to change, if it hasn’t already.\r\nWhile Anonymous, the TI Army of Ukraine, and more hacktivist groups are actively participating in\r\nthe conflict, a relatively new group brings something new to the table.\r\nAt first, BlueHornet, aka AgainstTheWest, aka APT49, seemed like a daring hacktivist group\r\ntargeting major organizations and APTs originating in Russia, China, Iran and North Korea, but\r\nrecent revelations by the group suggest that we are dealing with something much greater.\r\nEither if the group was hacktivists or nation-sponsored, we are convinced that they are one of the\r\nmore interesting groups currently in play.\r\nWith five different threat groups compromised and leaked by the BlueHornet crusade, including\r\nAPT28 (aka Fancy Bear), APT 38 (aka The Lazarus Group) and APT40 (aka Kryptonite Panda) after\r\nonly a few months of operation, 
this group’s capabilities position them as one of the best yet.\r\nAlthough the identity of the group’s puppeteer is unknown, the nation sponsoring BlueHornet\r\nclearly has interests against China, Russia, Iran and North Korea.\r\nDebut\r\nLike other groups that emerged and went public on Twitter when the Russia-Ukraine conflict\r\nstarted, at a glance BlueHornet seemed to be “yet another group” that joined the fight against\r\nRussia, but they quickly made waves with several campaigns against threat groups supporting Russia\r\nwhile using more sophisticated and targeted attacks against their victims.\r\nNo Threat Group is Safe\r\nAs mentioned, BlueHornet, the name the group claimed for itself early on, started out as a data\r\nleaks group named “AgainstTheWest” in around October 2021, and found a handful of potential targets\r\nwhen about 30 groups sided with Russia at the beginning of the conflict. The Cyberint Research\r\nTeam documented the cyberwarfare map at the beginning of this huge event and ATW was one of\r\nthem.\r\nCOOMINGPROJECT\r\nThe talented hunters’ first prey was the French group CoomingProject. In the first days of the\r\nconflict, many groups took sides, and CoomingProject was no different. 
The group announced they\r\nwere siding with Russia and would target anyone challenging them (Figure 1).\r\nFigure 1: CoomingProject announcement of siding with Russia\r\nIt didn’t take much time: a day after the announcement, BlueHornet published that it had leaked\r\nthe CoomingProject’s sensitive data to the relevant authorities in France (Figure 2).\r\nFigure 2: BlueHornet, aka AgainstTheWest, announcing leaking CoomingProject data to the\r\nauthorities\r\nPoking the Bear\r\nWhile most threat groups and hacktivists try not to get in the way of or have any sort of conflict with\r\nAPT groups, BlueHornet put APT groups at the top of their “to-do list”.\r\nAfter a series of breaches of various organizations published on their Telegram channel, which we will\r\nelaborate on later, on April 3 BlueHornet published highly sensitive information including not just\r\nemail accounts and social media profiles but also family members, bank accounts, current location,\r\nand additional details about every aspect of the lives of five different members associated with\r\ndifferent APTs.\r\nAPT 3 – GOTHIC PANDA\r\nAPT3, aka Gothic Panda, is a nation-state sponsored group originating in China, and has been\r\nactive since at least 2010.\r\nThe group mainly targets North America and East Asia, while focusing on strategic sectors such\r\nas high tech, telecommunications, defense, aerospace, and more.\r\nThe first APT member that BlueHornet leaked was an individual who lives in Shanghai; they\r\npublished highly sensitive information such as the street and room number where this individual\r\nlives, along with his phone number (Figure 3).\r\nAccording to the group, this individual, or at least some of the information published about him, was\r\nknown to the FBI.\r\nFigure 3: Leaked information about the APT3 member\r\nAPT 40 – Kryptonite Panda\r\nAPT 40, AKA Kryptonite Panda, is 
another espionage group that is related to China. It has been active for more\r\nthan a decade, with operations documented since 2009 targeting governmental organizations, universities, and\r\nother tech-related sectors such as robotics across North America, Europe, and the Middle East.\r\nOnce again, BlueHornet leaked detailed information about an individual who lives in Shenzhen, China, including\r\nthe fake name he uses and links to all of his social media accounts, and showed an alarming direct link between APT\r\n40 and the Alibaba Cloud infrastructure – backed up by screenshots and documents (Figure 4).\r\nFigure 4: APT 40 member’s leaked information\r\nAPT 28 – Fancy Bear\r\nAPT 28, aka Fancy Bear, is a well-known cyberespionage group, which has been linked several times in the past to\r\nthe GRU, the Russian military intelligence agency.\r\nIt is one of the most famous groups of the bunch, with operations all over the world, mainly targeting North\r\nAmerica, NATO, and Ukraine. The group has been documented as responsible for operations since 2014, but\r\nsome speculate that they have been operational for over a decade now.\r\nFancy Bear is likely one of the leaks that BlueHornet is very proud of.\r\nLike the rest of the information about other APTs, BlueHornet has leaked the information of Dmitriy Sergeyevich\r\nBadin, one of the FBI’s most wanted criminals (Figure 5).\r\nFigure 5: Dmitriy’s wanted ad\r\nLinked to several intelligence units of the Russian government, Dmitriy is a well-known hacker. 
To date, not much\r\ninformation has been revealed about him, if any.\r\nLike the others, BlueHornet published mostly private details about Dmitriy along with information about his\r\nrelatives, such as his wife (Figure 6).\r\nFigure 6: Dmitriy Sergeyevich Badin’s leaked information\r\nAPT 38 – Lazarus Group\r\nAPT 38, aka the Lazarus Group, is another well-known espionage group that has been operating since at least\r\n2009.\r\nGiven the nature of the group, Lazarus has compromised a wide range of victims worldwide. Some intrusions resulted\r\nin the exfiltration of data while others were disruptive.\r\nAPT 38 campaigns have also involved DDoS botnets, keyloggers, remote access tools (RATs), and wiper malware.\r\nThe group has been linked to North Korea.\r\nIn this case, the person BlueHornet chose to focus on was Park Jin Hyok. This individual is also on the FBI’s most-wanted list (Figure 7).\r\nFigure 7: Park Jin Hyok’s wanted ad\r\nAlong with many personal details, BlueHornet also tried to focus on the allegations against him and to find\r\nevidence of his links to moles in the US Congress and oblivious companies working with North Korea (Figure 8).\r\nFigure 8: Park Jin Hyok investigations conducted by BlueHornet\r\nWhen it comes to Park, BlueHornet had much more to work with, or much more interest in publishing everything\r\nthey knew about this particular individual, presumably because of his relationship with the US and NATO\r\nscandals.\r\nMarking New Targets\r\nIt seems that BlueHornet is not familiar with the term “rest” and was constantly on the lookout for new victims\r\nand threat groups they could leak.\r\nA relatively new ransomware group named Stormous announced that they were about to target French entities in the\r\ncoming weeks. 
As expected, it didn’t take too much time for BlueHornet to reply to their announcement with\r\n“Stormouse, you’re next” (Figure 9).\r\nFigure 9: BlueHornet’s announcement that it was going after Stormous\r\nDrawing The Heat\r\nAs expected, BlueHornet is drawing a lot of heat, mostly from Russian and Chinese threat groups.\r\nIn addition to publicly sharing information about their exploits on their Twitter account, BlueHornet also shares\r\ninformation about attempts to compromise them (Figure 10).\r\nFigure 10: BlueHornet announcement about Russian actors trying to breach their Twitter account\r\nHunting China and Russia\r\nBlueHornet is by no means a copycat of the Lapsus$ group, but one thing they have adopted is Lapsus$’s\r\n“Next Victim” polls.\r\nAs their follower numbers increase by the hour, they prefer an interactive approach with their crowd and let\r\nthem decide who the next victim or industry will be (Figures 11, 12).\r\nFigure 11: BlueHornet’s poll on which industry they should go after\r\nFigure 12: BlueHornet’s poll on who will be the next individual they will leak\r\nWhile it seemed that BlueHornet is the ultimate vigilante against the APTs of Russia, China, North Korea and\r\nIran, they are also responsible for major data breaches and leaks of big organizations in these countries too.\r\nBlueHornet’s leak channels are their Telegram channel (Figure 13) and a known breach forum named\r\nBreachForums. Their Telegram channel already has more than 1000 subscribers and was created on March 22nd.\r\nFigure 13: BlueHornet’s Telegram channel\r\nAlibaba Cloud\r\nOne of the most dominant organizations in China is Alibaba. 
With allegations of having APT infrastructure\r\ndeployed in their cloud services, Alibaba seemed like an obvious target.\r\nOn March 30, BlueHornet published 30GB of sensitive information on the known leak site Breached.Co and\r\nannounced it on their Telegram channel (Figure 14).\r\nFigure 14: BlueHornet publishing Alibaba Cloud leaks on Telegram\r\nWeChat\r\nWeChat is a well-known instant messaging application in China, and is broadly used by its citizens. On March 28,\r\nBlueHornet announced: “WeChat data coming soon”.\r\nNo more than 12 hours later, they published the source code of the application on their Telegram (Figure 15),\r\nusing the anonymous file sharing platform Anonfiles.\r\nFigure 15: WeChat source code leak\r\nMyBank\r\nIn their pursuit of compromising and leaking major Chinese organizations, BlueHornet published sensitive\r\ninformation about the first internet-based bank in China, “MyBank”.\r\nOn April 9, BlueHornet announced the leak on their Telegram channel, as they do with all of their victims (Figure\r\n16).\r\nFigure 16: MyBank leak on BlueHornet’s Telegram channel\r\nAmazon China\r\nAmazon, possibly the most frightening victim on BlueHornet’s list, was also breached by the group (Figure 17).\r\nIn this case, we saw that the group was targeting Amazon, but only in China.\r\nFigure 17: BlueHornet announced a breach of Amazon China\r\nAlthough we have only mentioned four victims out of the long list of compromised organizations, it seems that\r\nBlueHornet is mainly focusing on organizations from the finance, technology and government sectors in China,\r\nRussia, North Korea and Iran.\r\nWho is BlueHornet?\r\nSo given all their exploits and extremely daring campaigns, the only question left unanswered is: who is\r\nBlueHornet? Are they the next generation of Anonymous? 
Are they a hero in our story, or just another group taking\r\nlaw and order into their own hands?\r\nAlthough many hacktivist groups operate as a “movement” containing tens or hundreds of thousands of\r\nmembers, BlueHornet seems to be comprised of very few people and claims they are only five members, which is\r\nvery surprising given the effect they have.\r\nAgainstTheWest is From The West?\r\nIn an interview BlueHornet gave to databreaches.net, the group does not say exactly where they are from, but\r\ngives several hints, saying that they “have some political protection in place.” and joking about “being drone\r\nstriked and poisoned”. The assumption is that the group originated in North America or another NATO country.\r\nWhile assessing their social management and communication with their audience, it seems that BlueHornet is a\r\ngroup of adults. They do not play any attention or ego games, and their exploits are straightforward without any\r\nneed to “show off”, so to speak.\r\nBlueHornet insists that they will never target western countries, governments, persons, or companies at all.\r\nHospitals and schools are also off-limits.\r\nGiven an opportunity to get some answers from the group by threat analyst Tom Malka (Figure 18), it appears that\r\nthe group is currently looking to exert as much pressure as possible on big organizations and governments in\r\norder to end the conflict.\r\nFigure 18: BlueHornet talking about their intentions\r\nSkilled Vigilante\r\nBlueHornet are no script-kiddies and certainly no Anonymous. 
Looking at their exploits and their compromised\r\npersonas and organizations, we can make a fair assessment of their talent.\r\nWhen introducing themselves, the members of the group claim to be ex-intelligence figures holding\r\nseveral certificates and degrees such as CIE, CEH V10, CISSP and Masters in Cyber Security and Computer\r\nScience.\r\nIn addition, they also claim that the group’s members work in the ethical hacking sector, helping government\r\nagencies since the start of the Ukraine invasion, mostly in Germany and the US.\r\nWhile the tools BlueHornet uses are not known but purported to be “manual only”, they have claimed to possess\r\nseveral zero-day vulnerabilities in the following systems:\r\nDjango (Latest Version – 02/2022)\r\nBitnami\r\nGitLab\r\nSonarQube\r\nNginx\r\nNginx Zero-Day\r\nWhile we do not have any information on the group’s zero-days in Django, Bitnami, GitLab and SonarQube,\r\nBlueHornet shed some light on the recently discovered zero-day in Nginx.\r\nA major zero-day event appears to be breaking loose in the coming weeks or even days. 
BlueHornet, with its\r\n“sister group” BrazenEagle, discovered a zero-day vulnerability that allows Remote Code Execution (RCE) in\r\nNginx version 1.18.\r\nAt the moment, not much is clear regarding this vulnerability, but the module related to the LDAP-auth daemon\r\nwithin Nginx is affected, and anything that involves LDAP optional logins is vulnerable as well.\r\nAlso, it seems that default and common configurations of Nginx are a good setup for exploiting this vulnerability.\r\nThe only information regarding mitigating some of the exploitation ironically came from the BlueHornet group,\r\nclaiming that ldapDaemon.enabled should be disabled and the ldapDaemon.ldapConfig properties changed.\r\nIn addition to this major teaser on their GitHub account, BlueHornet also published that they are currently working\r\non a supply chain attack with BrazenEagle, probably looking to utilize this vulnerability in the process (Figure\r\n19).\r\nFigure 19: BlueHornet announcement about working with BrazenEagle on a supply chain attack\r\nThe group has announced that they contacted Nginx in order to get paid in case they have a bug bounty\r\nprogram. Once Nginx rejected their request for a bug bounty, BlueHornet looked to sell the zero-day to the highest\r\nbidder but surprisingly rejected a 200K offer from several underground forums.\r\nAllies\r\nAllies are something any threat group, of any kind, might want and need in order to get their work done. Several\r\ntimes BlueHornet has mentioned in all its communication channels their relations with hacktivist groups such as\r\nIntrusion Truth, Anonymous, Belarusian Cyber Partisans, GhostSec, Anonymous Taiwan, and PucksReturn,\r\nalthough it seems that the group that has the closest relationship with BlueHornet is BrazenEagle.\r\nThe BrazenEagle and BlueHornet alliance was published in several cases. 
BlueHornet has shared information with\r\nthe group regarding a campaign they ran against the Main Directorate of the General Staff of the Armed Forces of\r\nthe Russian Federation, asking for help.\r\nIn addition, the group has worked with BrazenEagle on the Nginx zero-day vulnerability and announced it on their\r\nGitHub, while suggesting that more zero-days are coming (Figure 20).\r\nFigure 20: BlueHornet announcement about their cooperation with BrazenEagle in the Nginx\r\nvulnerability\r\nFriend or Foe?\r\nIn their announcements they tend to make things very clear about their intentions – they are only targeting the\r\ncountries and sectors mentioned, and, ironically, will never go against the west.\r\nBlueHornet also insists they always share their findings with several state intelligence agencies.\r\nIn the only interview their leader gave [3], when asked about their future, he said: “Hopefully, we can actually\r\nfinish ATW after the APT groups have been exposed and get employed by these countries we’re trying to help.”\r\nAnd they are certainly having fun with the idea, posting another poll asking their subscribers “Should we go\r\nwhitehat?” (Figure 21). The majority wanted them to remain vigilantes.\r\nFigure 21: BlueHornet’s poll on whether to retire and go whitehat\r\nOdd Announcement or Hard Truth\r\nProbably the most confusing and interesting announcement from the team since its establishment was the\r\nannouncement that they are a state-sponsored group (Figure 22).\r\nFigure 22: BlueHornet announcing they are nation-state sponsored\r\nThe game-changing announcement was published on April 14 and raised many questions about the group.\r\nThroughout their whole operation time, BlueHornet did not act or manage themselves as the “typical” nation-state APT. 
We haven’t seen other APTs giving interviews [3] and talking publicly about their exploits,\r\ncommunicating with their followers and so on.\r\nFor example, the polls BlueHornet used are not something APTs usually do, for the simple reason that they are mostly\r\nmanaged by and get instructions from the sponsoring state – not their Twitter followers.\r\nAnother unusual characteristic of the group is their allies. As mentioned, most of the groups BlueHornet talked\r\nabout as allies are hacktivist groups, which suggests that they are also part of this community. The\r\nonly group BlueHornet was on good terms with that was not identified as hacktivist was BrazenEagle.\r\nIn addition, the hunt for APT members is also unusual behavior for typical nation-state-sponsored groups.\r\nThey are supposed to serve the country that is sponsoring them, so leaking the findings should do the opposite.\r\nAll these unusual actions by the group, including talking freely about the vulnerabilities they possess and of\r\ncourse trying to sell one, raise the question: should we believe them?\r\nCyberint Research Team’s observation, in this case, is that BlueHornet did start as a hacktivist leak group. The\r\nmembers gave certain ethical hacking services to the governments that are siding with Ukraine in this conflict.\r\nIt seems that BlueHornet tried to become a sponsored group of whatever country they originated in, and what is a\r\nbetter business card than leaking your enemy’s top espionage groups?\r\nAfter getting these countries’ attention and announcing their desire to be recruited several times, we are convinced\r\nthey got recruited and were told to lay low for a while, resulting in this announcement.\r\nCurtain Call\r\nAs suspected for several days, the show was about to end. In their Telegram channel, 
BlueHornet has deleted all\r\nthe leaks and former messages and left only three messages that are related to the Nginx vulnerability, while the\r\nlast one (Figure 23) talked about one member who, in the last several days, revealed intentions which\r\nwere against the ideology of the group (pursuit of money) and is no longer part of it.\r\nFigure 23: BlueHornet’s last announcement in their Telegram channel\r\nThe most interesting part of the last message was the “Goodbye” BlueHornet left us with, announcing that they\r\nare going back to their “ordinary” lives “for a better future in white hat ethical hacking.”\r\nSummary\r\nThere is not a single doubt that BlueHornet is one of the most interesting and exciting groups that have come to\r\nthe front of the stage in 2022. Although the unfortunate reality of the Russia-Ukraine conflict has pushed these\r\nunique individuals to do what they do, this unusual group compromised infrastructures and highly dangerous\r\nindividuals that are linked, mostly, to either Russia or China.\r\nWhile their identities and origin are still unknown, their talent and the impact they had will be something to\r\nremember them by.\r\nAlong with the question of whether they are an actual nation-sponsored APT or a hacktivist group, many other questions\r\nremain; some might be answered in time and some will remain buried.\r\nSource: https://cyberint.com/blog/research/bluehornet-one-apt-to-terrorize-them-all/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://cyberint.com/blog/research/bluehornet-one-apt-to-terrorize-them-all/"
	],
	"report_names": [
		"bluehornet-one-apt-to-terrorize-them-all"
	],
	"threat_actors": [
		{
			"id": "34eea331-d052-4096-ae03-a22f1d090bd4",
			"created_at": "2025-08-07T02:03:25.073494Z",
			"updated_at": "2026-04-10T02:00:03.709243Z",
			"deleted_at": null,
			"main_name": "NICKEL ACADEMY",
			"aliases": [
				"ATK3 ",
				"Black Artemis ",
				"COVELLITE ",
				"CTG-2460 ",
				"Citrine Sleet ",
				"Diamond Sleet ",
				"Guardians of Peace",
				"HIDDEN COBRA ",
				"High Anonymous",
				"Labyrinth Chollima ",
				"Lazarus Group ",
				"NNPT Group",
				"New Romanic Cyber Army Team",
				"Temp.Hermit ",
				"UNC577 ",
				"Who Am I?",
				"Whois Team",
				"ZINC "
			],
			"source_name": "Secureworks:NICKEL ACADEMY",
			"tools": [
				"Destover",
				"KorHigh",
				"Volgmer"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "aa73cd6a-868c-4ae4-a5b2-7cb2c5ad1e9d",
			"created_at": "2022-10-25T16:07:24.139848Z",
			"updated_at": "2026-04-10T02:00:04.878798Z",
			"deleted_at": null,
			"main_name": "Safe",
			"aliases": [],
			"source_name": "ETDA:Safe",
			"tools": [
				"DebugView",
				"LZ77",
				"OpenDoc",
				"SafeDisk",
				"TypeConfig",
				"UPXShell",
				"UsbDoc",
				"UsbExe"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "4f472ea8-b147-486d-8533-88f8036343a6",
			"created_at": "2024-01-23T13:22:35.081084Z",
			"updated_at": "2026-04-10T02:00:03.520098Z",
			"deleted_at": null,
			"main_name": "Cyber Partisans",
			"aliases": [],
			"source_name": "MISPGALAXY:Cyber Partisans",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "be5097b2-a70f-490f-8c06-250773692fae",
			"created_at": "2022-10-27T08:27:13.22631Z",
			"updated_at": "2026-04-10T02:00:05.311385Z",
			"deleted_at": null,
			"main_name": "LAPSUS$",
			"aliases": [
				"LAPSUS$",
				"DEV-0537",
				"Strawberry Tempest"
			],
			"source_name": "MITRE:LAPSUS$",
			"tools": [
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d4b9608d-af69-43bc-a08a-38167ac6306a",
			"created_at": "2023-01-06T13:46:39.335061Z",
			"updated_at": "2026-04-10T02:00:03.291149Z",
			"deleted_at": null,
			"main_name": "LAPSUS",
			"aliases": [
				"Lapsus",
				"LAPSUS$",
				"DEV-0537",
				"SLIPPY SPIDER",
				"Strawberry Tempest",
				"UNC3661"
			],
			"source_name": "MISPGALAXY:LAPSUS",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "93b7776d-9b37-496d-94a5-30bc36fd8800",
			"created_at": "2023-11-07T02:00:07.10019Z",
			"updated_at": "2026-04-10T02:00:03.407781Z",
			"deleted_at": null,
			"main_name": "GhostSec",
			"aliases": [
				"Ghost Security"
			],
			"source_name": "MISPGALAXY:GhostSec",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "16f2436b-5f84-44e3-a306-f1f9e92f7bea",
			"created_at": "2023-01-06T13:46:38.745572Z",
			"updated_at": "2026-04-10T02:00:03.086207Z",
			"deleted_at": null,
			"main_name": "APT40",
			"aliases": [
				"ATK29",
				"Red Ladon",
				"MUDCARP",
				"ISLANDDREAMS",
				"TEMP.Periscope",
				"KRYPTONITE PANDA",
				"G0065",
				"TA423",
				"ITG09",
				"Gingham Typhoon",
				"TEMP.Jumper",
				"BRONZE MOHAWK",
				"GADOLINIUM"
			],
			"source_name": "MISPGALAXY:APT40",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "13354d3f-3f40-44ec-b42a-3cda18809005",
			"created_at": "2022-10-25T15:50:23.275272Z",
			"updated_at": "2026-04-10T02:00:05.36519Z",
			"deleted_at": null,
			"main_name": "APT3",
			"aliases": [
				"APT3",
				"Gothic Panda",
				"Pirpi",
				"UPS Team",
				"Buckeye",
				"Threat Group-0110",
				"TG-0110"
			],
			"source_name": "MITRE:APT3",
			"tools": [
				"OSInfo",
				"schtasks",
				"PlugX",
				"LaZagne",
				"SHOTPUT",
				"RemoteCMD"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "761d1fb2-60e3-46f0-9f1c-c8a9715967d4",
			"created_at": "2023-01-06T13:46:38.269054Z",
			"updated_at": "2026-04-10T02:00:02.90356Z",
			"deleted_at": null,
			"main_name": "APT3",
			"aliases": [
				"GOTHIC PANDA",
				"TG-0110",
				"Buckeye",
				"Group 6",
				"Boyusec",
				"BORON",
				"BRONZE MAYFAIR",
				"Red Sylvan",
				"Brocade Typhoon"
			],
			"source_name": "MISPGALAXY:APT3",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "2347282d-6b88-4fbe-b816-16b156c285ac",
			"created_at": "2024-06-19T02:03:08.099397Z",
			"updated_at": "2026-04-10T02:00:03.663831Z",
			"deleted_at": null,
			"main_name": "GOLD RAINFOREST",
			"aliases": [
				"Lapsus$",
				"Slippy Spider ",
				"Strawberry Tempest "
			],
			"source_name": "Secureworks:GOLD RAINFOREST",
			"tools": [
				"Mimikatz"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "52d5d8b3-ab13-4fc4-8d5f-068f788e4f2b",
			"created_at": "2022-10-25T16:07:24.503878Z",
			"updated_at": "2026-04-10T02:00:05.014316Z",
			"deleted_at": null,
			"main_name": "Lapsus$",
			"aliases": [
				"DEV-0537",
				"G1004",
				"Slippy Spider",
				"Strawberry Tempest"
			],
			"source_name": "ETDA:Lapsus$",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "05b0c294-6e79-4d58-8291-73d2c1c7d9bd",
			"created_at": "2024-06-25T02:00:05.048321Z",
			"updated_at": "2026-04-10T02:00:03.665219Z",
			"deleted_at": null,
			"main_name": "BlueHornet",
			"aliases": [
				"APT49",
				"AgainstTheWest"
			],
			"source_name": "MISPGALAXY:BlueHornet",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "732597b1-40a8-474c-88cc-eb8a421c29f1",
			"created_at": "2025-08-07T02:03:25.087732Z",
			"updated_at": "2026-04-10T02:00:03.776007Z",
			"deleted_at": null,
			"main_name": "NICKEL GLADSTONE",
			"aliases": [
				"APT38 ",
				"ATK 117 ",
				"Alluring Pisces ",
				"Black Alicanto ",
				"Bluenoroff ",
				"CTG-6459 ",
				"Citrine Sleet ",
				"HIDDEN COBRA ",
				"Lazarus Group",
				"Sapphire Sleet ",
				"Selective Pisces ",
				"Stardust Chollima ",
				"T-APT-15 ",
				"TA444 ",
				"TAG-71 "
			],
			"source_name": "Secureworks:NICKEL GLADSTONE",
			"tools": [
				"AlphaNC",
				"Bankshot",
				"CCGC_Proxy",
				"Ratankba",
				"RustBucket",
				"SUGARLOADER",
				"SwiftLoader",
				"Wcry"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "83025f5e-302e-46b0-baf6-650a4d313dfc",
			"created_at": "2024-05-01T02:03:07.971863Z",
			"updated_at": "2026-04-10T02:00:03.743131Z",
			"deleted_at": null,
			"main_name": "BRONZE MOHAWK",
			"aliases": [
				"APT40 ",
				"GADOLINIUM ",
				"Gingham Typhoon ",
				"Kryptonite Panda ",
				"Leviathan ",
				"Nanhaishu ",
				"Pickleworm ",
				"Red Ladon ",
				"TA423 ",
				"Temp.Jumper ",
				"Temp.Periscope "
			],
			"source_name": "Secureworks:BRONZE MOHAWK",
			"tools": [
				"AIRBREAK",
				"BlackCoffee",
				"China Chopper",
				"Cobalt Strike",
				"DadJoke",
				"Donut",
				"FUSIONBLAZE",
				"GreenCrash",
				"Meterpreter",
				"Nanhaishu",
				"Orz",
				"SeDll"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "cf826655-5fcb-4331-bdc5-5ef267db9d3c",
			"created_at": "2025-08-07T02:03:24.631402Z",
			"updated_at": "2026-04-10T02:00:03.608938Z",
			"deleted_at": null,
			"main_name": "BRONZE MAYFAIR",
			"aliases": [
				"APT3 ",
				"Gothic Panda ",
				"Pirpi",
				"TG-0110 ",
				"UPSTeam"
			],
			"source_name": "Secureworks:BRONZE MAYFAIR",
			"tools": [
				"Cookiecutter",
				"HUC Proxy Malware (Htran)",
				"Pirpi",
				"PlugX",
				"SplitVPN",
				"UPS",
				"ctt",
				"ctx"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "3fff98c9-ad02-401d-9d4b-f78b5b634f31",
			"created_at": "2023-01-06T13:46:38.376868Z",
			"updated_at": "2026-04-10T02:00:02.949077Z",
			"deleted_at": null,
			"main_name": "Cleaver",
			"aliases": [
				"G0003",
				"Operation Cleaver",
				"Op Cleaver",
				"Tarh Andishan",
				"Alibaba",
				"TG-2889",
				"Cobalt Gypsy"
			],
			"source_name": "MISPGALAXY:Cleaver",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "59be3740-c8c7-47aa-84c8-e80d0cb7ea3a",
			"created_at": "2022-10-25T15:50:23.481057Z",
			"updated_at": "2026-04-10T02:00:05.306469Z",
			"deleted_at": null,
			"main_name": "Leviathan",
			"aliases": [
				"MUDCARP",
				"Kryptonite Panda",
				"Gadolinium",
				"BRONZE MOHAWK",
				"TEMP.Jumper",
				"APT40",
				"TEMP.Periscope",
				"Gingham Typhoon"
			],
			"source_name": "MITRE:Leviathan",
			"tools": [
				"Windows Credential Editor",
				"BITSAdmin",
				"HOMEFRY",
				"Derusbi",
				"at",
				"BLACKCOFFEE",
				"BADFLICK",
				"gh0st RAT",
				"PowerSploit",
				"MURKYTOP",
				"NanHaiShu",
				"Orz",
				"Cobalt Strike",
				"China Chopper"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "730dfa6e-572d-473c-9267-ea1597d1a42b",
			"created_at": "2023-01-06T13:46:38.389985Z",
			"updated_at": "2026-04-10T02:00:02.954105Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"Pawn Storm",
				"ATK5",
				"Fighting Ursa",
				"Blue Athena",
				"TA422",
				"T-APT-12",
				"APT-C-20",
				"UAC-0001",
				"IRON TWILIGHT",
				"SIG40",
				"UAC-0028",
				"Sofacy",
				"BlueDelta",
				"Fancy Bear",
				"GruesomeLarch",
				"Group 74",
				"ITG05",
				"FROZENLAKE",
				"Forest Blizzard",
				"FANCY BEAR",
				"Sednit",
				"SNAKEMACKEREL",
				"Tsar Team",
				"TG-4127",
				"STRONTIUM",
				"Grizzly Steppe",
				"G0007"
			],
			"source_name": "MISPGALAXY:APT28",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "a2b92056-9378-4749-926b-7e10c4500dac",
			"created_at": "2023-01-06T13:46:38.430595Z",
			"updated_at": "2026-04-10T02:00:02.971571Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Operation DarkSeoul",
				"Bureau 121",
				"Group 77",
				"APT38",
				"NICKEL GLADSTONE",
				"G0082",
				"COPERNICIUM",
				"Moonstone Sleet",
				"Operation GhostSecret",
				"APT 38",
				"Appleworm",
				"Unit 121",
				"ATK3",
				"G0032",
				"ATK117",
				"NewRomanic Cyber Army Team",
				"Nickel Academy",
				"Sapphire Sleet",
				"Lazarus group",
				"Hastati Group",
				"Subgroup: Bluenoroff",
				"Operation Troy",
				"Black Artemis",
				"Dark Seoul",
				"Andariel",
				"Labyrinth Chollima",
				"Operation AppleJeus",
				"COVELLITE",
				"Citrine Sleet",
				"DEV-0139",
				"DEV-1222",
				"Hidden Cobra",
				"Bluenoroff",
				"Stardust Chollima",
				"Whois Hacking Team",
				"Diamond Sleet",
				"TA404",
				"BeagleBoyz",
				"APT-C-26"
			],
			"source_name": "MISPGALAXY:Lazarus Group",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "32a223a8-3c79-4146-87c5-8557d38662ae",
			"created_at": "2022-10-25T15:50:23.703698Z",
			"updated_at": "2026-04-10T02:00:05.261989Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Lazarus Group",
				"Labyrinth Chollima",
				"HIDDEN COBRA",
				"Guardians of Peace",
				"NICKEL ACADEMY",
				"Diamond Sleet"
			],
			"source_name": "MITRE:Lazarus Group",
			"tools": [
				"RawDisk",
				"Proxysvc",
				"BADCALL",
				"FALLCHILL",
				"WannaCry",
				"MagicRAT",
				"HOPLIGHT",
				"TYPEFRAME",
				"Dtrack",
				"HotCroissant",
				"HARDRAIN",
				"Dacls",
				"KEYMARBLE",
				"TAINTEDSCRIBE",
				"AuditCred",
				"netsh",
				"ECCENTRICBANDWAGON",
				"AppleJeus",
				"BLINDINGCAN",
				"ThreatNeedle",
				"Volgmer",
				"Cryptoistic",
				"RATANKBA",
				"Bankshot"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "1bdb91cf-f1a6-4bed-8cfa-c7ea1b635ebd",
			"created_at": "2022-10-25T16:07:23.766784Z",
			"updated_at": "2026-04-10T02:00:04.7432Z",
			"deleted_at": null,
			"main_name": "Bluenoroff",
			"aliases": [
				"APT 38",
				"ATK 117",
				"Alluring Pisces",
				"Black Alicanto",
				"Bluenoroff",
				"CTG-6459",
				"Copernicium",
				"G0082",
				"Nickel Gladstone",
				"Sapphire Sleet",
				"Selective Pisces",
				"Stardust Chollima",
				"T-APT-15",
				"TA444",
				"TAG-71",
				"TEMP.Hermit"
			],
			"source_name": "ETDA:Bluenoroff",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "e3767160-695d-4360-8b2e-d5274db3f7cd",
			"created_at": "2022-10-25T16:47:55.914348Z",
			"updated_at": "2026-04-10T02:00:03.610018Z",
			"deleted_at": null,
			"main_name": "IRON TWILIGHT",
			"aliases": [
				"APT28 ",
				"ATK5 ",
				"Blue Athena ",
				"BlueDelta ",
				"FROZENLAKE ",
				"Fancy Bear ",
				"Fighting Ursa ",
				"Forest Blizzard ",
				"GRAPHITE ",
				"Group 74 ",
				"PawnStorm ",
				"STRONTIUM ",
				"Sednit ",
				"Snakemackerel ",
				"Sofacy ",
				"TA422 ",
				"TG-4127 ",
				"Tsar Team ",
				"UAC-0001 "
			],
			"source_name": "Secureworks:IRON TWILIGHT",
			"tools": [
				"Downdelph",
				"EVILTOSS",
				"SEDUPLOADER",
				"SHARPFRONT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "ae320ed7-9a63-42ed-944b-44ada7313495",
			"created_at": "2022-10-25T15:50:23.671663Z",
			"updated_at": "2026-04-10T02:00:05.283292Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"APT28",
				"IRON TWILIGHT",
				"SNAKEMACKEREL",
				"Group 74",
				"Sednit",
				"Sofacy",
				"Pawn Storm",
				"Fancy Bear",
				"STRONTIUM",
				"Tsar Team",
				"Threat Group-4127",
				"TG-4127",
				"Forest Blizzard",
				"FROZENLAKE",
				"GruesomeLarch"
			],
			"source_name": "MITRE:APT28",
			"tools": [
				"Wevtutil",
				"certutil",
				"Forfiles",
				"DealersChoice",
				"Mimikatz",
				"ADVSTORESHELL",
				"Komplex",
				"HIDEDRV",
				"JHUHUGIT",
				"Koadic",
				"Winexe",
				"cipher.exe",
				"XTunnel",
				"Drovorub",
				"CORESHELL",
				"OLDBAIT",
				"Downdelph",
				"XAgentOSX",
				"USBStealer",
				"Zebrocy",
				"reGeorg",
				"Fysbis",
				"LoJax"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "06f622cb-3a78-49cf-9a4c-a6007a69325f",
			"created_at": "2022-10-25T16:07:23.315239Z",
			"updated_at": "2026-04-10T02:00:04.537826Z",
			"deleted_at": null,
			"main_name": "APT 3",
			"aliases": [
				"APT 3",
				"Boron",
				"Brocade Typhoon",
				"Bronze Mayfair",
				"Buckeye",
				"G0022",
				"Gothic Panda",
				"Group 6",
				"Operation Clandestine Fox",
				"Operation Clandestine Fox, Part Deux",
				"Operation Clandestine Wolf",
				"Operation Double Tap",
				"Red Sylvan",
				"TG-0110",
				"UPS Team"
			],
			"source_name": "ETDA:APT 3",
			"tools": [
				"APT3 Keylogger",
				"Agent.dhwf",
				"BKDR_HUPIGON",
				"Backdoor.APT.CookieCutter",
				"Badey",
				"Bemstour",
				"CookieCutter",
				"Destroy RAT",
				"DestroyRAT",
				"DoublePulsar",
				"EXL",
				"EternalBlue",
				"HTran",
				"HUC Packet Transmit Tool",
				"Hupigon",
				"Hupigon RAT",
				"Kaba",
				"Korplug",
				"LaZagne",
				"MFC Huner",
				"OSInfo",
				"Pirpi",
				"PlugX",
				"RedDelta",
				"RemoteCMD",
				"SHOTPUT",
				"Sogu",
				"TIGERPLUG",
				"TTCalc",
				"TVT",
				"Thoper",
				"Xamtrav",
				"remotecmd",
				"shareip",
				"w32times"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d2516b8e-e74f-490d-8a15-43ad6763c7ab",
			"created_at": "2022-10-25T16:07:24.212584Z",
			"updated_at": "2026-04-10T02:00:04.900038Z",
			"deleted_at": null,
			"main_name": "Sofacy",
			"aliases": [
				"APT 28",
				"ATK 5",
				"Blue Athena",
				"BlueDelta",
				"FROZENLAKE",
				"Fancy Bear",
				"Fighting Ursa",
				"Forest Blizzard",
				"G0007",
				"Grey-Cloud",
				"Grizzly Steppe",
				"Group 74",
				"GruesomeLarch",
				"ITG05",
				"Iron Twilight",
				"Operation DealersChoice",
				"Operation Dear Joohn",
				"Operation Komplex",
				"Operation Pawn Storm",
				"Operation RoundPress",
				"Operation Russian Doll",
				"Operation Steal-It",
				"Pawn Storm",
				"SIG40",
				"Sednit",
				"Snakemackerel",
				"Sofacy",
				"Strontium",
				"T-APT-12",
				"TA422",
				"TAG-0700",
				"TAG-110",
				"TG-4127",
				"Tsar Team",
				"UAC-0028",
				"UAC-0063"
			],
			"source_name": "ETDA:Sofacy",
			"tools": [
				"ADVSTORESHELL",
				"AZZY",
				"Backdoor.SofacyX",
				"CHERRYSPY",
				"CORESHELL",
				"Carberp",
				"Computrace",
				"DealersChoice",
				"Delphacy",
				"Downdelph",
				"Downrage",
				"Drovorub",
				"EVILTOSS",
				"Foozer",
				"GAMEFISH",
				"GooseEgg",
				"Graphite",
				"HATVIBE",
				"HIDEDRV",
				"Headlace",
				"Impacket",
				"JHUHUGIT",
				"JKEYSKW",
				"Koadic",
				"Komplex",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"LoJack",
				"LoJax",
				"MASEPIE",
				"Mimikatz",
				"NETUI",
				"Nimcy",
				"OCEANMAP",
				"OLDBAIT",
				"PocoDown",
				"PocoDownloader",
				"Popr-d30",
				"ProcDump",
				"PythocyDbg",
				"SMBExec",
				"SOURFACE",
				"SPLM",
				"STEELHOOK",
				"Sasfis",
				"Sedkit",
				"Sednit",
				"Sedreco",
				"Seduploader",
				"Shunnael",
				"SkinnyBoy",
				"Sofacy",
				"SofacyCarberp",
				"SpiderLabs Responder",
				"Trojan.Shunnael",
				"Trojan.Sofacy",
				"USB Stealer",
				"USBStealer",
				"VPNFilter",
				"Win32/USBStealer",
				"WinIDS",
				"Winexe",
				"X-Agent",
				"X-Tunnel",
				"XAPS",
				"XTunnel",
				"Xagent",
				"Zebrocy",
				"Zekapab",
				"carberplike",
				"certutil",
				"certutil.exe",
				"fysbis",
				"webhp"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "b9806584-4d82-4f32-ae97-18a2583e8d11",
			"created_at": "2022-10-25T16:07:23.787833Z",
			"updated_at": "2026-04-10T02:00:04.749709Z",
			"deleted_at": null,
			"main_name": "Leviathan",
			"aliases": [
				"APT 40",
				"ATK 29",
				"Bronze Mohawk",
				"G0065",
				"Gadolinium",
				"Gingham Typhoon",
				"ISLANDDREAMS",
				"ITG09",
				"Jumper Taurus",
				"Kryptonite Panda",
				"Mudcarp",
				"Red Ladon",
				"TA423",
				"TEMP.Jumper",
				"TEMP.Periscope"
			],
			"source_name": "ETDA:Leviathan",
			"tools": [
				"AIRBREAK",
				"Agent.dhwf",
				"Agentemis",
				"AngryRebel",
				"BADFLICK",
				"BlackCoffee",
				"CHINACHOPPER",
				"China Chopper",
				"Cobalt Strike",
				"CobaltStrike",
				"DADJOKE",
				"Dadstache",
				"Derusbi",
				"Destroy RAT",
				"DestroyRAT",
				"Farfli",
				"GRILLMARK",
				"Gh0st RAT",
				"Ghost RAT",
				"HOMEFRY",
				"Hellsing Backdoor",
				"Kaba",
				"Korplug",
				"LOLBAS",
				"LOLBins",
				"LUNCHMONEY",
				"Living off the Land",
				"MURKYTOP",
				"Moudour",
				"Mydoor",
				"NanHaiShu",
				"Orz",
				"PCRat",
				"PNGRAT",
				"PlugX",
				"RedDelta",
				"SeDLL",
				"Sensocode",
				"SinoChopper",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"WCE",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"Xamtrav",
				"ZXShell",
				"ZoxPNG",
				"cobeacon",
				"gresim",
				"scanbox"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "f32df445-9fb4-4234-99e0-3561f6498e4e",
			"created_at": "2022-10-25T16:07:23.756373Z",
			"updated_at": "2026-04-10T02:00:04.739611Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"APT-C-26",
				"ATK 3",
				"Appleworm",
				"Citrine Sleet",
				"DEV-0139",
				"Diamond Sleet",
				"G0032",
				"Gleaming Pisces",
				"Gods Apostles",
				"Gods Disciples",
				"Group 77",
				"Guardians of Peace",
				"Hastati Group",
				"Hidden Cobra",
				"ITG03",
				"Jade Sleet",
				"Labyrinth Chollima",
				"Lazarus Group",
				"NewRomanic Cyber Army Team",
				"Operation 99",
				"Operation AppleJeus",
				"Operation AppleJeus sequel",
				"Operation Blockbuster: Breach of Sony Pictures Entertainment",
				"Operation CryptoCore",
				"Operation Dream Job",
				"Operation Dream Magic",
				"Operation Flame",
				"Operation GhostSecret",
				"Operation In(ter)caption",
				"Operation LolZarus",
				"Operation Marstech Mayhem",
				"Operation No Pineapple!",
				"Operation North Star",
				"Operation Phantom Circuit",
				"Operation Sharpshooter",
				"Operation SyncHole",
				"Operation Ten Days of Rain / DarkSeoul",
				"Operation Troy",
				"SectorA01",
				"Slow Pisces",
				"TA404",
				"TraderTraitor",
				"UNC2970",
				"UNC4034",
				"UNC4736",
				"UNC4899",
				"UNC577",
				"Whois Hacking Team"
			],
			"source_name": "ETDA:Lazarus Group",
			"tools": [
				"3CX Backdoor",
				"3Rat Client",
				"3proxy",
				"AIRDRY",
				"ARTFULPIE",
				"ATMDtrack",
				"AlphaNC",
				"Alreay",
				"Andaratm",
				"AngryRebel",
				"AppleJeus",
				"Aryan",
				"AuditCred",
				"BADCALL",
				"BISTROMATH",
				"BLINDINGCAN",
				"BTC Changer",
				"BUFFETLINE",
				"BanSwift",
				"Bankshot",
				"Bitrep",
				"Bitsran",
				"BlindToad",
				"Bookcode",
				"BootWreck",
				"BottomLoader",
				"Brambul",
				"BravoNC",
				"Breut",
				"COLDCAT",
				"COPPERHEDGE",
				"CROWDEDFLOUNDER",
				"Castov",
				"CheeseTray",
				"CleanToad",
				"ClientTraficForwarder",
				"CollectionRAT",
				"Concealment Troy",
				"Contopee",
				"CookieTime",
				"Cyruslish",
				"DAVESHELL",
				"DBLL Dropper",
				"DLRAT",
				"DRATzarus",
				"DRATzarus RAT",
				"Dacls",
				"Dacls RAT",
				"DarkComet",
				"DarkKomet",
				"DeltaCharlie",
				"DeltaNC",
				"Dembr",
				"Destover",
				"DoublePulsar",
				"Dozer",
				"Dtrack",
				"Duuzer",
				"DyePack",
				"ECCENTRICBANDWAGON",
				"ELECTRICFISH",
				"Escad",
				"EternalBlue",
				"FALLCHILL",
				"FYNLOS",
				"FallChill RAT",
				"Farfli",
				"Fimlis",
				"FoggyBrass",
				"FudModule",
				"Fynloski",
				"Gh0st RAT",
				"Ghost RAT",
				"Gopuram",
				"HARDRAIN",
				"HIDDEN COBRA RAT/Worm",
				"HLOADER",
				"HOOKSHOT",
				"HOPLIGHT",
				"HOTCROISSANT",
				"HOTWAX",
				"HTTP Troy",
				"Hawup",
				"Hawup RAT",
				"Hermes",
				"HotCroissant",
				"HotelAlfa",
				"Hotwax",
				"HtDnDownLoader",
				"Http Dr0pper",
				"ICONICSTEALER",
				"Joanap",
				"Jokra",
				"KANDYKORN",
				"KEYMARBLE",
				"Kaos",
				"KillDisk",
				"KillMBR",
				"Koredos",
				"Krademok",
				"LIGHTSHIFT",
				"LIGHTSHOW",
				"LOLBAS",
				"LOLBins",
				"Lazarus",
				"LightlessCan",
				"Living off the Land",
				"MATA",
				"MBRkiller",
				"MagicRAT",
				"Manuscrypt",
				"Mimail",
				"Mimikatz",
				"Moudour",
				"Mydoom",
				"Mydoor",
				"Mytob",
				"NACHOCHEESE",
				"NachoCheese",
				"NestEgg",
				"NickelLoader",
				"NineRAT",
				"Novarg",
				"NukeSped",
				"OpBlockBuster",
				"PCRat",
				"PEBBLEDASH",
				"PLANKWALK",
				"POOLRAT",
				"PSLogger",
				"PhanDoor",
				"Plink",
				"PondRAT",
				"PowerBrace",
				"PowerRatankba",
				"PowerShell RAT",
				"PowerSpritz",
				"PowerTask",
				"Preft",
				"ProcDump",
				"Proxysvc",
				"PuTTY Link",
				"QUICKRIDE",
				"QUICKRIDE.POWER",
				"Quickcafe",
				"QuiteRAT",
				"R-C1",
				"ROptimizer",
				"Ratabanka",
				"RatabankaPOS",
				"Ratankba",
				"RatankbaPOS",
				"RawDisk",
				"RedShawl",
				"Rifdoor",
				"Rising Sun",
				"Romeo-CoreOne",
				"RomeoAlfa",
				"RomeoBravo",
				"RomeoCharlie",
				"RomeoCore",
				"RomeoDelta",
				"RomeoEcho",
				"RomeoFoxtrot",
				"RomeoGolf",
				"RomeoHotel",
				"RomeoMike",
				"RomeoNovember",
				"RomeoWhiskey",
				"Romeos",
				"RustBucket",
				"SHADYCAT",
				"SHARPKNOT",
				"SIGFLIP",
				"SIMPLESEA",
				"SLICKSHOES",
				"SORRYBRUTE",
				"SUDDENICON",
				"SUGARLOADER",
				"SheepRAT",
				"SierraAlfa",
				"SierraBravo",
				"SierraCharlie",
				"SierraJuliett-MikeOne",
				"SierraJuliett-MikeTwo",
				"SimpleTea",
				"SimplexTea",
				"SmallTiger",
				"Stunnel",
				"TAINTEDSCRIBE",
				"TAXHAUL",
				"TFlower",
				"TOUCHKEY",
				"TOUCHMOVE",
				"TOUCHSHIFT",
				"TOUCHSHOT",
				"TWOPENCE",
				"TYPEFRAME",
				"Tdrop",
				"Tdrop2",
				"ThreatNeedle",
				"Tiger RAT",
				"TigerRAT",
				"Trojan Manuscript",
				"Troy",
				"TroyRAT",
				"VEILEDSIGNAL",
				"VHD",
				"VHD Ransomware",
				"VIVACIOUSGIFT",
				"VSingle",
				"ValeforBeta",
				"Volgmer",
				"Vyveva",
				"W1_RAT",
				"Wana Decrypt0r",
				"WanaCry",
				"WanaCrypt",
				"WanaCrypt0r",
				"WannaCry",
				"WannaCrypt",
				"WannaCryptor",
				"WbBot",
				"Wcry",
				"Win32/KillDisk.NBB",
				"Win32/KillDisk.NBC",
				"Win32/KillDisk.NBD",
				"Win32/KillDisk.NBH",
				"Win32/KillDisk.NBI",
				"WinorDLL64",
				"Winsec",
				"WolfRAT",
				"Wormhole",
				"YamaBot",
				"Yort",
				"ZetaNile",
				"concealment_troy",
				"http_troy",
				"httpdr0pper",
				"httpdropper",
				"klovbot",
				"sRDI"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434890,
	"ts_updated_at": 1775792299,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f00ff9af320bbdd4570e2b64e503a397746c04f3.pdf",
		"text": "https://archive.orkl.eu/f00ff9af320bbdd4570e2b64e503a397746c04f3.txt",
		"img": "https://archive.orkl.eu/f00ff9af320bbdd4570e2b64e503a397746c04f3.jpg"
	}
}